The Rule of Law and the Clipper Escrow Project Last Thursday, I attended the first day of the Computer System Ssecurity and Privacy Advisory Board in Washington. This is a group of industry experts who discuss topics in computer security that should affect the public and industry. Some of the members are from users like banks and others are from service providing companies like Trusted Information Services. Lately, their discussion has centered on the NSA/NIST's Clipper/Capstone/Skipjack project and the effects it will have on society. At the last meeting, the public was invited to make comments and they were almost unanimously skeptical and critical. They ranged from political objections to the purely practical impediments. Some argued that this process of requiring the government to have the key to all conversations was a violation of the fourth amendment of the constitution prohibiting warrentless searches. Others noted that a software solution was much simpler and cheaper even if the chips were going to cost a moderate $25. There were many different objections, but practically everyone felt that a standard security system was preferable. This meeting was largely devoted to the rebutals from the government. The National Security Association, the Department of Justice, the FBI, the national association of District Attorneys and Sheriffs and several others were all testifying today. The board itself runs with a quasi-legal style they make a point of making both video and audio tapes of the presentations. The entire discussion is conducted with almost as much gravity as Congressional hearings. The entire meeting was suffused with an air of ernest lawfullness that came these speakers. All of them came from the upper ranks of the military or legal system and a person doesn't rise to such a position without adopting the careful air of the very diligent bureaucrat. People were fond of saying things like, "Oh, it's in the Federal Register. You can look it up." This is standard operating procedure in Washington agencies and second nature to many of the day's speakers. Dorothy Denning was one of the first speakers and she reported on the findings of the committee of five noted public cryptologists who agreed to give the Clipper standard a once-over. Eleven people were asked, but six declined for a variety of reasons. The review was to be classified "Secret" and some balked at this condition because they felt it would compromise their position in public. The talk made clear that the government intended to keep the standard secret for the sole purpose of preventing people from making unauthorized implementations without the law enforcement back door. Dr. Denning said that everyone at the NSA believes that the algorithm could withstand public knowledge with no trouble. The review by the panel revealed no reason why they shouldn't trust this assessment. Although lack of time lead the panel to largely rubberstamp the more extensive review by the NSA, they did conduct a few tests of their own. They programmed the algorithm on a Cray YMP, which incidentally could process 89,000 encryptions per second in single processor mode. This implementation was used for a cycling test which they found seemed to imply that there was good randomness. The test is done by repeatedly encrypting one value of data until a cycle occurs. The results agreed with what a random process should generate. They also tested the system for strength against a differential cryptanalysis attack and found it worthy. There was really very little other technical details in the talk. Saying more would have divulged something about the algorithm. My general impression is that the system is secure. Many people have played paranoid and expressed concerns that the classified algorithm might be hiding a trapdoor. It became clear to me that these concerns were really silly. There is a built-in trapdoor to be used by the government when it is "legal authorized" to intercept messages. The NSA has rarely had trouble in the past exercising either its explicitly granted legal authority or its implied authority. The phrase "national security" is a powerful pass phrase around Washington and there is no reason for me to believe that the NSA wouldn't get all of the access to the escrow database that it needs to do its job. Building in a backdoor would only leave a weakness for an opponent to exploit and that is something that is almost as sacrilidgeous at the NSA as just putting the classified secrets in a Fed Ex package to Saddam Hussein. Next there was a report from Geoff Greiveldinger , the man from the Department of Justice with the responsibility of implementing the the Key Escrow plan. After the Clipper/Capstone/SkipJack chips are manufactured, they will be programmed with an individual id number and a secret, unique key. A list is made of the id, key pairs and this list is split into two halves by taking each unique key, k, and finding two numbers a and b such that a+b=k. (+ represents XOR). One new list will go to one of the escrow agencies and one will go to the other. It will be impossible to recover the secret key without getting the list entry from both agencies. At this point, they include an additional precaution. Each list will be encrypted so even the escrow agency won't be able to know what is in its list. The key for decoding this list will be locked away in the evesdropping box. When a wiretap is authorized, each escrow agency will lookup the halves of the key that correspond to the phone being tapped and send these to evesdropping box where they will be decrypted and combined. That means that two clerks from the escrow agencies could not combine their knowledge. They would need access to a third key or an evesdropping box. It became clear that the system was not fully designed. It wasn't obvious how spontenaeous and fully automated the system would be. Mr. Greiveldinger says that he is trying to balance the tradeoffs between security and efficiency. Officers are bound to be annoyed and hampered if they can't start a tap instanteneously. The kidnapping of a child is the prototypical example of when this would be necessary. The courts also grant authority for "roving" wiretaps that allow the police to intercept calls from any number of phones. A tap like this begs out for a highly automated system for delivering the keys. I imagine that the system as it's designed will consist of escrow computers with a few clerks who have nothing to do all day. When a tap is authorized, the evesdropping box will be programmed with a private key and shipped to the agents via overnight express. When they figure out the id number of the phone being tapped, the evesdropping box will probably phone the two escrow computers, perform a bit of zero-knowledge authorization and then receive the two halves of the key. This would allow them to switch lines and conduct roving taps effectively. The NSA would presumably have a box that would allow them to decrypt messages from foreign suspects. At this point, I had just listened to an entirely logical presentation from a perfect gentleman. We had just run though a system that had many nice technological checks and balances in it. Subverting it seemed very difficult. You would need access to the two escrow agencies and an evesdropping box. Mr. Greiveldinger said that there would be many different "auditting" records that would be kept of the taps. It was very easy to feel rather secure about the whole system in a nice, air-conditioned auditorium where clean, nice legally precise people were speaking in measured tones. It was very easy to believe in the Rule of Law. To counteract this, I tried to figure out the easiest way for me to subvert the system. The simplest way is to be a police officer engaged in a stakeout of someone for whom you've already received a warrant. You request the Clipper evesdropping box on the off chance that the suspect will buy a Clipper phone and then you "lend" it to a friend who needs it. I think that the automation will allow the person who possesses the box to listen in to whatever lines that they want. The escrow agency doesn't maintain a list of people and id numbers-- they only know the list matching the id number to the secret key. There is no way that they would know that a request from the field was unreasonable. Yes, the audit trails could be used later to reconstruct what the box was used for, but that would only be necessary if someone got caught. The bribe value of this box would probably be hard to determine, but it could be very valuable. We know that the government of France is widely suspected of using its key escrow system to evesdrop on US manufacturers in France. Would they be willing to buy evesdropping time here in America? It is not uncommon to see reports of industrial espionage where the spies get millions of dollars. On the other hand, cops on the beat in NYC have been influenced for much less. The supply and demand theory of economics virtually guarantees that some deals are going to be done. It is not really clear what real effect the key escrow system is going to have on security. Yes, theives would need to raid two different buildings and steal two different copies of the tapes. This is good. But it is still impossible to figure out if the requests from the field are legitimate-- at least within the time constraints posed by urgent cases involving terrorism and kidnapping. The net effect of implementing the system is that the phone system would be substantially strengthened against nieve intruders, but the police (and those that bribe them) would still be able to evesdrop with impunity. Everyone needs to begin to do a bit of calculus between the costs and benefits of this approach. On one hand, not letting the police intercept signals will let the crooks run free but on the other hand, the crooks are not about to use Clipper phones for their secrets if they know that they can be tapped. The most interesting speaker was the assistant director of the National Security Agency, Dr. Clint Brooks. He immediately admitted that the entire Clipper project was quite unusual because the Agency was not used to dealing with the open world. Speaking before a wide audience was strange for him and he admitted that producing a very low cost commercial competitive chip was also a new challenge for them. Never-the-less, I found him to be the deepest thinker at the conference. He readily admitted that the Clipper system isn't intended to catch any crooks. They'll just avoid the phones. It is just going to deny them access to the telecommunications system. They just won't be able to go into Radio Shack and buy a secure phone that comes off the line. It was apparent that he was somewhat skeptical of the Clipper's potential for success. He said at one point the possibilities in the system made it worth taking the chance that it would succeed. If it could capture a large fraction of the market then it could help many efforts of the law enforcement and intelligence community. When I listened, though, I began to worry about what is going to happen as we begin to see the eventual blurring of data and voice communications systems. Right now, people go to Radio Shack to buy a phone. It's the only way you can use the phone system. In the future, computers, networks and telephones are going to be linked in much more sophisticated ways. I think that Intel and Microsoft are already working on such a technology. WHen this happens, programmable phones are going to emerge. People will be able to pop a new ROM in their cellular digital phone or install new software in their computer/video game/telephone. This could easily be a proprietary encryption system that scrambles everything. The traditional way of controlling technology by controlling the capital intensive manufacturing sites will be gone. Sure, the NSA and the police will go to Radio Shack and say "We want your cooperation" and they'll get it. But it's the little, slippery ones that will be trouble in the new, software world. The end of the day was dominated by a panel of Law Enforcement specialists from around the country. These were sheriffs, district attorneys, FBI agents and other officers from different parts of the system. Their message was direct and they didn't hesitate to compare encryption with assault rifles. One even said, "I don't want to see the officers outgunned in a technical arena." They repeatedly stressed the incredible safe guards placed upon the wiretapping process and described the hurdles that the officers must go through to use the system. One DA from New Jersey said that in his office, they process about 10,000 cases a year, but they only do one to two wiretaps on average. It just seems like a big hassle and expense for them. It is common for the judges to require that the officers have very good circumstantial evidence from informers before giving them the warrant. This constraint coupled with the crooks natural hesitation to use the phone meant that wiretaps weren't the world's greatest evidence producers. One moment of levity came when a board member asked what the criminals favorite type of encryption was. The police refused to answer this one and I'm not that sure if they've encountered enough cases to build a profile. At the end of all of the earnestness and "support-the-cop-on-the-beat", I still began to wonder if there was much value to wiretaps at all. The police tried to use the low numbers of wiretaps as evidence that they're not out there abusing the system, but I kept thinking that this was mainly caused by the high cost and relatively low utility of the technique. It turns out that there is an easy way to check the utility of these devices. Only 37 states allow their state and local police to use wiretaps in investigations. One member of the panel repeated the rumor that this is supposedly because major politicians were caught with wiretaps. The state legislatures in these states supposedly realized that receipients of graft and influence peddlers were the main target of wiretaps. Evesdropping just wasn't a tool against muggers. So they decided to protect themselves. It would be possible to check the crime statistics from each of these states and compare them against the evesdropping states to discover which has a better record against crime. I would like to do this if I can dig up the list of states that allow the technique. I'm sure that this would prove little, but it could possibly clarify something about this technique. It is interesting to note that the House of Representative committee on the Judiciary was holding hearings on abuses of the National Crime Information Center. They came in the same week as the latest round of Clipper hearings before the CSAB. The NCIC is a large computer system run by the FBI to provide all the police departments with a way to track down the past records of people. The widespread access to the system makes it quite vulnerable to abuse. In the hearings, the Congress heard many examples of unauthorized access. Some were as benign as people checking out employees. The worst was an ex-police officer who used the system to track down his ex-girlfriend and kill her. They also heard of a woman who looked up clients for her drug-dealing boyfriend so he could avoid the undercover cops. These hearings made it obvious that there were going to be problems determining the balance of grief. For every prototypical example of a child kidnapped to make child pornography, there is a rengade police officer out to knock off his ex-girlfriend. On the whole, the police may be much more trustworthy than the criminals, but we need to ask how often a system like Clipper will aid the bad guys. In the end, I reduced the calculus of the decision about Clipper to be a simple tradeoff. If we allow widespread, secure encryption, will the criminals take great advantage of this system? The secure phones won't be useful in rapes and random street crime, but they'll be a big aid to organized endeavors. It would empower people to protect their own information unconditionally, but at the cost of letting the criminals do the same. Built-in back doors for the law enforcement community, on the other hand, will deny the power of off-the-shelf technology to crooks, but it would also leave everyone vulnerable to organized attacks on people. I began to wonder if the choice between Clipper and totally secure encryption was moot. In either case, there would be new opportunities for both the law-abiding and the law-ignoring. The amount of crime in the country would be limited only by the number of people who devote their life to the game-- not by any new fangled technology that would shift the balance. I did not attend the Friday meeting so someone else will need to summarize the details.
Peter Wayner <pcw@access.digex.net>
The most interesting speaker was the assistant director of the National Security Agency, Dr. Clint Brooks. [...] He readily admitted that the Clipper system isn't intended to catch any crooks. [...] It was apparent that he was somewhat skeptical of the Clipper's potential for success. [...]
Assistant Director of the NSA. this is something to celebrate! break out the bubbles!
participants (2)
-
L. Detweiler
-
Peter Wayner